Time Stamps, Digital Traces and Forensic Evidence - TID

The scientific understanding of digital evidence is currently weak. In order to improve the evidential quality of digital evidence it is of vital importance to increase the scientific understanding of digital evidence. Digital time information is one of t he most important evidence items currently not scientifically understood. Since digital forensics relies heavily on the ability to produce timeline of events, it is of outmost importance to improve the understanding of time stamps on computer systems in an evidential context. It is desirable to: - Produce documentation on different time stamp formats and storage areas. - Produce documentation on time reference systems and timezone systems - Conduct research on how system operations affect time stamps in a file system - Conduct research on how timestamps may become erroneous and how this may happen. - Find methods for the discovery of erroneous time stamps. One or several methods should be found which can indicate or make sure that timestamps are wrong d ue to error, inaccuracy or manipulation. Such methods will most likely be based on analysis of all time stamps on a medium using statistical and/or data mining methods. Based on such research a methodology for treatment of time stamps in digital evidence can be established. With such a methodlogy, it will be possible to conclude with greater certainty when constructing a timeline of events based on digital evidence The project will be realized in collaboration between the research institutions NTNU and PURDUE, the law enforcement unit ØKOKRIM and the private companies Ibas ASA and FAST ASA. This project is associated with the cross-faculty Research Programme in Information Security organized within the strategic focus area of ICT established at NTNU, an d run by five NTNU Departments: Telematics, Computer and Information Science, Mathematical Sciences, Industrial Economics and Technology Management, and Electronics and Telecommunication.